Support Forum
ClaudioRezende
New Contributor

Fortigate - Virtual IP / One public IP for two internal web servers using same 443 ports

Hi guys,

In my domain I have two web server applications and I need to publish both. They are hosted on different internal web servers.
I only have one public IP to do that and both need to use https port.

Ex:
webserver1.mydomain.com  / 200.10.10.10:443 > 192.168.1.10:443

 

webserver2.mydomain.com / 200.10.10.10:443 > 192.168.1.11:443

 

Is it possible to configure FortiGate to do this with a virtual IP?
Will FortiGate be able to match the different FQDNs and redirect to the correct web server?

 

Regards,


8 REPLIES
ede_pfau
Esteemed Contributor III

hi,

Not as far as I know. The feature you are looking for is called "URL routing", and is available in a FortiADC for instance (a reverse proxy). The FortiGate knows how to exchange the destination IP address and/or destination port, and that's it. A VIP will not look at an HTTP request to route the traffic to one of two internal webservers - a FortiGate VIP is on layer 4, URL routing on layer 7.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
amouawad
Staff

You can't do this with a standard VIP but will be able to do it using virtual servers/load balancer, which are a special type of VIP.

 

You need to enable 'Load Balance' feature in the GUI first via System > Feature Visibility > Load Balance:

 

[screenshot: 2022-04-10_19-15.png]

 

Once enabled you'll be able to configure virtual servers, with a single VIP. Select HTTP Host as the load balancing method, then add your real backend servers with their hostnames.

[screenshot: 2022-04-10_19-11.png]

 

You'll need to upload a wildcard certificate for *.mydomain.com to match both hosts.
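The GUI steps above, written out as FortiOS CLI. This is an added example, not taken from the post or from Fortinet documentation, and it uses the thread's addressing (200.10.10.10, 192.168.1.10/.11). The object names ("vs-mydomain-443", "wildcard-mydomain"), the interface names "wan1"/"internal" and the firewall policy are assumptions; the "inspection-mode proxy" line applies on FortiOS releases that require a proxy-based policy for virtual servers. Check the available values with "set ldb-method ?" on your own version before relying on the exact keywords.

```text
# Added example (not from the original post). Names, interfaces and the
# policy are assumptions; check the keywords on your FortiOS version.

# 1. Make the feature visible (CLI equivalent of the GUI toggle).
config system settings
    set gui-load-balance enable
end

# 2. One virtual server on the single public IP, dispatching by HTTP Host.
#    The FortiGate terminates TLS here, which is why it can read the Host
#    header and why one certificate must cover both names.
config firewall vip
    edit "vs-mydomain-443"
        set type server-load-balance
        set extip 200.10.10.10
        set extintf "wan1"
        set server-type https
        set extport 443
        set ldb-method http-host
        # wildcard certificate for *.mydomain.com, uploaded under
        # System > Certificates under the (assumed) name "wildcard-mydomain"
        set ssl-certificate "wildcard-mydomain"
        # full: re-encrypt towards the backends, which listen on 443 themselves
        set ssl-mode full
        config realservers
            edit 1
                set ip 192.168.1.10
                set port 443
                set http-host "webserver1.mydomain.com"
            next
            edit 2
                set ip 192.168.1.11
                set port 443
                set http-host "webserver2.mydomain.com"
            next
        end
    next
end

# 3. The inbound policy has the virtual server as its destination, so a
#    single policy covers traffic for both hosts.
config firewall policy
    edit 0
        set name "inbound-https-virtual-server"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vs-mydomain-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set logtraffic all
    next
end
```

Before exposing the VIP, test each name against the public IP without touching DNS, for example "curl --resolve webserver1.mydomain.com:443:200.10.10.10 https://webserver1.mydomain.com/" and the same for webserver2, and also send a request to the bare IP with no matching Host header to see where the FortiGate sends it; the thread does not say what happens to a request that matches no real server, so verify it rather than assume.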

ClaudioRezende

Thanks a lot !!!

FusionScott

What is the "Virtual Server IP" in this scenario? Is it the external IP? What if I'm using dynamic DNS?

abelio
Valued Contributor


@FusionScott wrote:

What is the "Virtual Server IP" in this scenario? Is it the external IP?

Indeed.

What if I'm using dynamic DNS?

A different problem to solve, but not with FortiGate.
You'll need another approach.

regards / Abel
nicolasj

Hello

 

I just read this and I was having the same issue. Now I can have 2 web servers with only 1 public IP.

Now I have another issue. I know that I have to create an inbound rule to allow access from the internet to the servers. I want to know how I can solve it in case I need different rules for one server and others for the other server, because here the inbound rule points to a virtual server and this one splits the traffic to each server.

My question about all of this is because I wish to deploy FortiGate or Fortiwaf in Google Cloud and, as you know, all the servers have different rules of exposure to inbound traffic.

Now I know that I can use this solution to protect my virtual machines, but I need to know how I can configure Fortinet to manage different rules for each destination server.

I hope I was clear and I hope that there is a way to solve this.

ede_pfau
Esteemed Contributor III

Nice, learning every day! Thanks for posting.

I've found this KB article on the topic: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

 

In comparison to a "real reverse proxy", an FGT can distinguish real server targets by the URL host part, not by the path: "test1.domain.com" and "test2.domain.com" will work, but "www.domain.com/outlook" and "www.domain.com/support" will not.

But then again, this feature is included in FortiOS, for free so to say.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Debbie_FTNT
Staff

Another thread discussing this:

https://community.fortinet.com/t5/Fortinet-Forum/Redirect-HTTP-Requests-coming-from-the-WAN-to-difer...

Let us know if you still have questions :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++